Authorization Bypass Due to Undefined KMS Key Policy in Terraform

High Risk Infrastructure Security
awskmsencryptionkey-policyauthorization

What it is

Unrestricted or unintended principals may use, decrypt, or manage the key, enabling data exposure, privilege escalation, or destructive key operations.

Why it happens

Creating KMS keys without defining an explicit key policy, relying on default permissions.

Root causes

Missing Key Policy Definition

Creating KMS keys without defining an explicit key policy, relying on default permissions.

Policy Complexity Avoidance

Skipping key policy configuration due to perceived complexity of KMS policy syntax.

Copy-Paste Configurations

Using incomplete KMS key examples from documentation that omit key policies.

Fixes

1. Define Explicit Key Policy

Add a policy attribute to aws_kms_key resources specifying who can manage and who can use the key.

2. Follow Principle of Least Privilege

Grant only specific IAM principals the minimum permissions needed for key operations, and keep key administration (policy changes, deletion) separate from key usage (encrypt, decrypt).

3. Enable Key Rotation

Set enable_key_rotation = true along with an explicit policy so that keys are rotated automatically.
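Both forms of the resource side by side, as an added illustration rather than code from the page or from Sourcery: the first relies on the default key policy, the second defines an explicit least-privilege policy with rotation enabled. The account ID comes from aws_caller_identity; the role names kms-admin and app-runtime are placeholders.

```hcl
# Weak form (illustrative): no policy attribute, so AWS attaches the default key
# policy, which grants the account root principal kms:* and delegates all other
# access to IAM policies in the account.
resource "aws_kms_key" "data_unrestricted" {
  description = "Customer data key (relies on default key policy)"
}

# Hardened form: explicit key policy, least privilege, automatic rotation.
data "aws_caller_identity" "current" {}

locals {
  account_id = data.aws_caller_identity.current.account_id
  # Placeholder role names; substitute the roles that exist in your account.
  key_admin_role = "arn:aws:iam::${local.account_id}:role/kms-admin"
  app_role       = "arn:aws:iam::${local.account_id}:role/app-runtime"
}

resource "aws_kms_key" "data" {
  description         = "Customer data key"
  enable_key_rotation = true

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Administrators manage the key but get no Encrypt/Decrypt rights.
        Sid       = "AllowKeyAdministration"
        Effect    = "Allow"
        Principal = { AWS = local.key_admin_role }
        Action = [
          "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
          "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
          "kms:Get*", "kms:Delete*", "kms:TagResource", "kms:UntagResource",
          "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"
        ]
        Resource = "*"
      },
      {
        # The workload only needs cryptographic operations, not key management.
        Sid       = "AllowAppUseOfKey"
        Effect    = "Allow"
        Principal = { AWS = local.app_role }
        Action    = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"]
        Resource  = "*"
      }
    ]
  })
}
```

Because this policy omits the account root principal, the identity running terraform apply must itself be covered by the policy, otherwise AWS rejects the create with a lockout-safety error; leave bypass_policy_lockout_safety_check at its default of false rather than silencing that check.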

Detect This Vulnerability in Your Code

Sourcery automatically identifies authorization bypass due to an undefined KMS key policy in Terraform, along with many other security issues in your codebase.